feat: secrets

This commit is contained in:
pycook
2023-10-27 17:42:49 +08:00
parent 6fff2fe9df
commit 27a1c75a25
7 changed files with 98 additions and 60 deletions


@@ -29,10 +29,9 @@ from api.lib.perm.acl.resource import ResourceCRUD
from api.lib.perm.acl.resource import ResourceTypeCRUD
from api.lib.perm.acl.role import RoleCRUD
from api.lib.perm.acl.user import UserCRUD
from api.lib.secrets.inner import KeyMange
from api.lib.secrets.secrets import InnerKVManger
from api.lib.secrets.inner import KeyManage
from api.lib.secrets.inner import global_key_threshold
from api.lib.secrets.secrets import InnerKVManger
from api.models.acl import App
from api.models.acl import ResourceType
from api.models.cmdb import Attribute
@@ -57,6 +56,7 @@ def cmdb_init_cache():
if relations:
rd.create_or_update(relations, REDIS_PREFIX_CI_RELATION)
es = None
if current_app.config.get("USE_ES"):
from api.extensions import es
from api.models.cmdb import Attribute
@@ -323,25 +323,20 @@ def cmdb_inner_secrets_init():
"""
init inner secrets for password feature
"""
KeyMange(backend=InnerKVManger).init()
KeyManage(backend=InnerKVManger).init()
@click.command()
@click.option(
'-k',
'--token',
help='root token',
)
@with_appcontext
def cmdb_inner_secrets_unseal(token):
def cmdb_inner_secrets_unseal():
"""
unseal the secrets feature
"""
for i in range(global_key_threshold):
token = click.prompt(f'Enter token {i+1}', hide_input=True, confirmation_prompt=False)
token = click.prompt(f'Enter token {i + 1}', hide_input=True, confirmation_prompt=False)
assert token is not None
res = KeyMange(backend=InnerKVManger).unseal(token)
KeyMange.print_response(res)
res = KeyManage(backend=InnerKVManger).unseal(token)
KeyManage.print_response(res)
@click.command()
@@ -358,8 +353,8 @@ def cmdb_inner_secrets_seal(token):
seal the secrets feature
"""
assert token is not None
res = KeyMange(backend=InnerKVManger()).seal(token)
KeyMange.print_response(res)
res = KeyManage(backend=InnerKVManger()).seal(token)
KeyManage.print_response(res)
@click.command()
@@ -368,7 +363,49 @@ def cmdb_inner_secrets_auto_seal():
"""
auto seal the secrets feature
"""
res = KeyMange(current_app.config.get("INNER_TRIGGER_TOKEN"), backend=InnerKVManger()).auto_unseal()
KeyMange.print_response(res)
res = KeyManage(current_app.config.get("INNER_TRIGGER_TOKEN"), backend=InnerKVManger()).auto_unseal()
KeyManage.print_response(res)
@click.command()
@with_appcontext
def cmdb_password_data_migrate():
"""
Migrate CI password data, version >= v2.3.6
"""
from api.models.cmdb import CIIndexValueText
from api.models.cmdb import CIValueText
from api.lib.secrets.inner import InnerCrypt
from api.lib.secrets.vault import VaultClient
attrs = Attribute.get_by(to_dict=False)
for attr in attrs:
if attr.is_password:
value_table = CIIndexValueText if attr.is_index else CIValueText
for i in value_table.get_by(attr_id=attr.id, to_dict=False):
if current_app.config.get("SECRETS_ENGINE", 'inner') == 'inner':
_, status = InnerCrypt().decrypt(i.value)
if status:
continue
encrypt_value, status = InnerCrypt().encrypt(i.value)
if status:
CIValueText.create(ci_id=i.ci_id, attr_id=attr.id, value=encrypt_value)
else:
continue
elif current_app.config.get("SECRETS_ENGINE") == 'vault':
if i.value == '******':
continue
vault = VaultClient(current_app.config.get('VAULT_URL'), current_app.config.get('VAULT_TOKEN'))
try:
vault.update("/{}/{}".format(i.ci_id, i.attr_id), dict(v=i.value))
except Exception as e:
print('save password to vault failed: {}'.format(e))
continue
else:
continue
i.delete()